The document provides an overview of the OWASP Cheat Sheet Series, which aims to collect useful information about web application security in one place. It lists several active and draft cheat sheet topics, including authentication, input validation, SQL injection, session management, and secure coding. One sample cheat sheet discussed in more detail is about transport layer protection, covering benefits, requirements, rules, and testing of TLS/SSL. The logging cheat sheet section discusses logging purposes, event sources, where and what events to log, what not to log, and testing considerations.
7. Transport Layer Protection
• Benefits
– Provide protection against eavesdroppers and tampering of data while in transit
– Validation of the server or services being communicated with
– Additional factor of authentication with client-side certificates
• Requirements
– PKI and CRL or OCSP availability
8. Transport Layer Protection
• Rules
– Use TLS for login/authentication pages
– Use TLS regardless of the network
– Do not allow TLS and non-TLS content to be mixed in with the page content
– Keep sensitive information out of URLs
https://example.com/mysecrets/passreset?newpass=test
9. Transport Layer Protection
• Rules
– Provide support for only strong ciphers
– Disable SSLv2
• Apache
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
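A practitioner applying the two rules above wants a way to verify what a given mod_ssl configuration actually enables rather than trusting the directive text. The checker below is an added example, not code from the OWASP cheat sheet or from Apache: it evaluates an SSLProtocol argument with mod_ssl's token rules (a "+name" adds, a "-name" removes, a bare name replaces the set) and expands an SSLCipherSuite string through the local OpenSSL via Python's ssl module, so the cipher list it reports is the one OpenSSL would really negotiate. It goes beyond the slide's SSLv2-only rule by also flagging SSLv3 and TLS 1.0/1.1, which have since been deprecated (RFC 7568 and RFC 8996); that deprecation table and the expansion of the "all" keyword are assumptions, since in real mod_ssl "all" depends on the OpenSSL build.

```python
"""Checker for the 'only strong ciphers, no SSLv2' rule against an Apache
mod_ssl configuration.  Added example, not code from the OWASP cheat sheet
or from Apache httpd.  Assumptions: the deprecation table (SSLv2: RFC 6176,
SSLv3: RFC 7568, TLS 1.0/1.1: RFC 8996) and the expansion of "all"."""
import ssl

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALL_EXPANDS_TO = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumption
DEPRECATED = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568",
              "TLSv1": "RFC 8996", "TLSv1.1": "RFC 8996"}
_CANONICAL = {name.lower(): name for name in PROTOCOL_ORDER}


def enabled_protocols(directive):
    """Evaluate the argument of an SSLProtocol directive with mod_ssl's token
    rules: '+name' adds, '-name' removes, a bare name replaces the whole set
    (mod_ssl logs an 'overrides already set parameter(s)' warning for that).
    SSLv2 is accepted as a keyword so old configurations can be scored;
    current mod_ssl rejects it outright."""
    enabled = set()
    for token in directive.split():
        if token[0] in "+-":
            action, name = token[0], token[1:]
        else:
            action, name = "=", token
        key = name.lower()
        if key == "all":
            wanted = set(ALL_EXPANDS_TO)
        elif key in _CANONICAL:
            wanted = {_CANONICAL[key]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {name!r}")
        if action == "+":
            enabled |= wanted
        elif action == "-":
            enabled -= wanted
        else:
            enabled = wanted
    return enabled


def protocol_findings(directive):
    """(protocol, reference) pairs for every deprecated protocol the directive
    leaves enabled, in version order; an empty list means the rule holds."""
    enabled = enabled_protocols(directive)
    return [(p, DEPRECATED[p]) for p in PROTOCOL_ORDER
            if p in enabled and p in DEPRECATED]


def _expand(cipher_suite):
    """Let the local OpenSSL parse the SSLCipherSuite string; returns the
    cipher descriptions (name, protocol, strength_bits, ...) it would use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_suite)
    return ctx.get_ciphers()


def negotiable_ciphers(cipher_suite):
    """Cipher names the string expands to, in OpenSSL preference order."""
    return [c["name"] for c in _expand(cipher_suite)]


def weak_ciphers(cipher_suite):
    """Names from the expansion with no encryption/authentication or fewer
    than 128 bits of strength; the slide's !aNULL:!eNULL:!LOW:!EXP terms are
    meant to remove exactly these."""
    return [c["name"] for c in _expand(cipher_suite)
            if "NULL" in c["name"] or c["strength_bits"] < 128]


if __name__ == "__main__":
    # The two directives from the slide.
    print(protocol_findings("-ALL +SSLv3 +TLSv1"))
    print(weak_ciphers("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"))
```

Running it against the slide's own SSLProtocol line reports SSLv3 and TLSv1 as deprecated, which is the expected result for a configuration written when SSLv2 was the only protocol considered broken; a modern equivalent such as "all -SSLv3 -TLSv1 -TLSv1.1" produces no findings.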
10. Transport Layer Protection
• Rules
– Provide support for only strong ciphers
– Disable SSLv2
• Windows
To disable weak ciphers, a new DWORD needs to be created with a value name of Enabled and a value of 00000000 under the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
To disable SSLv2, a new DWORD needs to be created with a value name of Enabled and a value of 00000000 under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
14. Logging
• Purpose
– Help provide guidance on building logging into applications
– Normal firewall, web server, database, etc. logs may not be enough, or may not contain enough information
16. Logging
• Where are events recorded?
– File system
– Database
– Local database used by the application
17. Logging
• What events should we be logging?
– Authentication attempts
– Authorization failures
– Modifications to privileges
– System startup and shutdown events
– Input validation failures
18. Logging
• What attributes should we be logging?
– Date and time
– Application identifier
– Event severity
– User name or identity
19. Logging
• What activities should we not be logging?
– Session identification values
– Personally Identifiable Information (PII)
– Passwords
– Database connection strings
20. Logging
• Testing
– Ensure permissions are set appropriately
– Test for log injection possibilities
Apr 26 15:09:05 fry sshd[19119]: User root from 10.0.0.1 not allowed because not listed in AllowUsers
ssh "root from 10.0.15.1 not allowed because not listed in AllowUsers"@10.0.15.1
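The logging slides above (what to log, which attributes to record, what to keep out, and the log injection test) describe one design, so a single worked example serves all of them. The code below is an added example, not code from the OWASP cheat sheet: it contrasts a free-text record in the style of the sshd line on the slide, where a user-controlled name is pasted into the message template, with a structured record that carries date/time, application identifier, severity and user identity as separate fields, redacts the slide 19 items by key, and is serialised as one JSON document per line so that a newline inside a field cannot start a second record. The application identifier, event names, redaction list and the forged user name in the demonstration are assumptions constructed for the example.

```python
"""Log records that carry the slide 18 attributes, keep the slide 19 items
out, and survive the log injection test from slide 20.  Added example, not
OWASP's code; the application identifier, event names, redaction list and
the sample input below are assumptions."""
import json
import re
from datetime import datetime, timezone

APP_ID = "passreset-web"                      # assumed application identifier
SEVERITIES = ("DEBUG", "INFO", "WARN", "ERROR")
# Keys whose values must never be written (slide 19); compared case-insensitively.
SENSITIVE_KEYS = {"password", "newpass", "session_id", "sessionid", "cookie",
                  "connection_string", "token"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def legacy_line(user, source_ip):
    """Free-text record in the style of the sshd line on the slide.  The user
    name is pasted into the template unencoded, so CR/LF inside it starts a
    new, attacker-chosen record."""
    return f"User {user} from {source_ip} not allowed because not listed in AllowUsers"


def redact(details):
    """Replace values of sensitive keys; everything else passes through."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in details.items()}


def event_record(severity, event, user, source_ip, details=None, now=None):
    """Assemble one event with date/time, application id, severity and user
    identity as separate fields.  User-controlled strings stay data."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    now = now or datetime.now(timezone.utc)
    return {
        "time": now.isoformat(timespec="seconds"),
        "app": APP_ID,
        "severity": severity,
        "event": event,
        "user": user,
        "source_ip": source_ip,
        "details": redact(details or {}),
    }


def safe_line(record):
    """Serialise as one JSON document per line.  With ensure_ascii=True,
    json.dumps escapes every byte outside printable ASCII, so a newline or
    ESC sequence in a field can neither start a new record nor reach the
    terminal of whoever tails the file."""
    line = json.dumps(record, ensure_ascii=True, separators=(",", ":"))
    if CONTROL_CHARS.search(line):            # should be impossible; defence in depth
        raise RuntimeError("control character survived serialisation")
    return line


def parse_line(line):
    """Inverse of safe_line: the injected text comes back as a field value."""
    return json.loads(line)


if __name__ == "__main__":
    # Constructed attacker-controlled user name: a newline followed by text
    # shaped like a second sshd record, in the spirit of the slide's test.
    forged = "root\nApr 26 15:09:06 fry sshd[19119]: forged record"
    print(legacy_line(forged, "10.0.15.1"))           # two lines in the log
    rec = event_record("WARN", "auth.denied", forged, "10.0.15.1",
                       {"password": "hunter2", "method": "password"})
    print(safe_line(rec))                             # one line in the log
```

The permissions check from the same slide is outside what a formatter can do: whatever writes these lines should hold only append rights on the log location, and the readers should be a separate, smaller group.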
21. References
OWASP Cheat Sheet Site
https://www.owasp.org/index.php/Cheat_Sheets
Guide To Computer Security Log Management
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
Log Injection Attack and Defence
http://www.stratsec.net/getattachment/ab1067fa-9da7-427f-809d-ddb6d69991a1/stratsec---Grzelak---Log-Injection-Attack-and-Defence.pdf